1. Field
The present invention relates to a method for attesting a plurality of data processing systems.
2. Description of the Related Art
Trusted boot is a process for booting and establishing a chain of trust in a computing system. With reference to the environment (100) of FIG. 1, for example, a system administrator takes delivery of a server (a managed system (120)) and proceeds to install system software. The managed system (120) comprises a secure device (125), e.g. a TPM (Trusted Platform Module). Once the system (120) is configured and booting, each component (hardware and/or software) of the managed system (120) cryptographically measures another component and can “extend” (but not directly write to) a measurement value into a Platform Configuration Register (PCR) of the TPM (125). Each component is also operable to access an event log in order to write data associated with the measurement of a component into an entry associated with the event log.
The measurements can be remotely attested by a managing system (105) which has a database (115) to store expected attestation values for components of each managed system. The values would typically be stored along with some metadata describing what the values mean. The managing system (105) comprises a TPM emulator (110) for e.g., comparing the measurements with the values. If there is no match between the measurements and the values, typically, the managing system (105) further has to compare the measurements against a (large) list (e.g., a reference manifest) of measurement values provided by manufacturers of components. Typically, a reference manifest comprises a large number of measurement values associated with each component of a managed system (120) and these measurement values can be taken to be “trusted”.
The remote attestation process itself may be initiated by either the managing or managed system.
Changes to the managed system (120) can be detected by subsequent trusted boot and remote attestation processes.
The above processes are described, for example, in section 4 of the Trusted Computing Group (TCG) Specification Architecture Overview; Specification; Revision 1.4; 2 Aug. 2007 and section 2 of the TCG Infrastructure Working group Architecture Part II—Integrity Management; Specification Version 1.0; Revision 1.0; 17 Nov. 2006.
As described above, attestation is currently concerned with verifying a single machine, be it a physical machine with a real TPM or a virtual machine (VM) with a virtual TPM. This is a reasonable approach for owners of individual machines but typically, an end-user or corporation may deal in a granularity much larger than a single machine. For example a large corporation may wish to attest each of its VMs on a particular physical machine, or each of its VMs within a particular machine pool or each of its physical machines at a particular site. Similarly, datacenter owners may care about the integrity of their entire datacenter (and possibly sub-clusters within it). Instead of single machines, an entity may be concerned with tens, hundreds or even thousands of machines.